AZ-700 Microsoft Azure Networking Solutions – Azure Private Link Service and Azure Private Endpoint

February 11, 2023

1. Azure Private Link Service Overview

So we’ve now come to the last major topic of the exam, "Design and implement private access to Azure services", which is worth 10 to 15%. This objective contains three subobjectives: the first is Private Link Service and Private Endpoint, the second is Service Endpoints, and the third is dedicated Platform as a Service (PaaS) services on your VNet. These are all related in that they provide private connections between two endpoints that do not travel over the public internet. In this first section we’re going to talk about Private Link and Private Endpoint, starting with the Private Link service.

The concept is rather interesting. Let’s say you have a solution, some series of VMs and websites, but you don’t want to provide public access to it. You don’t want a public IP address or a domain name, even with security in front of it; you just don’t want it to be out there. So you have a subnet that basically has all inbound traffic denied. What you can do is generate a Private Link service for this solution and share that with someone else. They then create a private endpoint on their own network that links to your Private Link service.

You approve that connection and they’re able to connect to your load balancer, and the applications behind it, over the private Microsoft network. The traffic never travels over the public internet, and the two networks don’t have to be in the same subscription. There’s no trust relationship here. You’re simply handing them a private link that they can add to their network as a private endpoint. They interact with that private endpoint as if they were interacting with a load balancer running locally, and Microsoft takes care of the rest. So it’s a pretty interesting way of sharing an endpoint without having to make it public.

2. Create Standard Load Balancer

So the first thing that is required is to create a private link; later we can create a private endpoint that connects to it. A private link is basically a link to a standard load balancer, so to start we have to create an internal load balancer, that is, a load balancer that does not have a public IP address. We search for the words "load balancer", look for the Microsoft load balancer, and click Create. In this case we’re going to choose the standard internal load balancer. I’m going to put this inside my AZ 700 course resource group, call it AZ new LB, and choose West US as the region, the same as the resources it will contain. Again: internal, standard load balancer.

I put it onto my virtual network, and in this case on the mid tier, because we know that tier is private and shouldn’t be accessible from the internet. No tags, and I’m going to say Create. All right, that was pretty quick. Let’s go to the resource. We’ve covered this before in terms of creating a load balancer: we’ve got our frontend configuration, which should be a private IP address. You’ll see this is a 10-dot address, a private address, which shouldn’t be accessible by anyone outside of the VNet. Then we have the backend pools. I’m going to create a new pool and include the mid tier VM as the resource. So let’s say Add, name it pool one, and add VM three, which is the mid tier, as the resource. That will be the only resource behind the load balancer. Now I’m going to go ahead and turn that VM on, since we do need to make sure it’s operating. So I go up here, look for VM three, and say Start. All right, let’s go back to our load balancer. We then need to set up the rules and the health probes. So we create a health probe; TCP port 80 seems fine to me since we only have the one server for now.

It shouldn’t matter too much, but we’ll create it and then go to the load balancing rules. We’ll add a rule. This is rule one, and it takes the private IP address over TCP port 80. The backend port is 80, we only have the one pool, we have the one health probe, and that’s the rule; the rest are defaults. So adding a standard load balancer in front of a single VM doesn’t really give us anything per se, but you do need a standard load balancer in order to create this private link, so it’s a necessity. Obviously it has a cost to it. All right, so we have the load balancer running and we have the VM running. I probably should do a quick test to see that there’s a web server on this responding properly.

So I’m going to do that real quick. It’s a good thing I checked: there wasn’t actually a web server installed on the mid tier up till now, so I had to go and install one. Now I can verify that that’s working, and I can also check the load balancer. The load balancer is 69 and it’s pointing to the server as well. So I checked both the private links.

So now we’re going to continue on. We’re going to go back to the load balancer and create a private link on it. We go to Create a resource and look for Private Link. When we come back we’re going to create a private link so that we can share a link to this load balancer and let people join.

3. Create Azure Private Link and Private Endpoint

Alright, so let’s create a private link to this load balancer. I go into the portal, the marketplace, I look for Private Link and I’m going to say Create. This is actually pretty easy to create. We’re in here and we say Create Private Link Service; I put it into my resource group, give it a name, PrivateLink service, and it’ll be in West US. In this case, under Outbound settings, I select my load balancer. We have to select the frontend IP address and put it onto a subnet, and we’re going to leave the default settings, which will create a dynamic IP address for it. Next up we say Security, and we’re just going to use role based security, so anyone who has access to the link needs to have been granted access control permissions. Skip the tags and say Create.

Once this Private Link service is created, it’s going to be just sitting there waiting to receive traffic. Next we have to create a Private Endpoint to connect to this Private Link, so we’ll wait for that to complete. All right, the deployment is complete. Now what we need to do is create a Private Endpoint. Before we do that, we’re going to need some other place to connect from. Obviously these things have to be part of different networks; we can’t reuse the same Virtual Network to test this. So I’m going to start a new Virtual Network in a separate IP address range. I’m going to call this 700 Private Endpoint and put it in a different region, of course. I’m going to put it in East US, just to show that we don’t even have to be in the same region. For this range I’m going to go with 10.10, a bit more of an unconventional approach here. So 10.10, and we have to add a subnet, which I’m going to call subnet.

The default subnet range is 10.10, and we’ll just take around half of the addresses, say OK, leave none of the optional features enabled by default, and say Create. All right, so that Virtual Network is complete. Now we can go back to the Private Link center. We saw that we have created a Private Link from here; now we can use it to create a Private Endpoint. I’m going to put this in the Private Endpoint resource group, call it Private Endpoint as well, in East US. We do have the option to connect to a bunch of different kinds of resources; you can see Cosmos DB, Redis Cache, Compute. In this case we’re connecting to a Private Link, right? Because we just created a Private Link service. So it’s the Microsoft network, Private Link type in there, and then we can choose the Private Link service.

This is going to be deployed to the brand new virtual network that we created; say Review and create, then Create. All right, so that deployed. Now you might think, okay, what have we got here? If I go to the Virtual Network, we see that we created a brand new virtual network and a brand new subnet, and we do have a private endpoint connected. That endpoint has been given the address 10.10.0.4. So what we have here is a way to connect to the other virtual machine, 100 68, on this network.

It’s basically as if I had set up a peering connection between the two VNets, but I didn’t. I actually just connected one remote service into here and gave it a local IP address. So there’s no peering; it is as if it were a local connection. Now, in order to test this, I’m going to have to get onto this private endpoint network. So what I’m going to do is create a VM with a public IP, remote into it, and then we should be able to load up the website using this IP address. I’ll do that in the next video.

4. Test Azure Private Link Service

So what we need to do to test this is connect to the endpoint’s IP address from the Virtual Machine. A quick reminder here: we have our VM running behind a standard load balancer that has the Private Link service enabled, on its own Virtual Network. Now we’ve created the Private Endpoint, I’ve created a Virtual Machine on that network, and we’re going to try to test this dotted line. To do this, I’m going to remote desktop into my brand new VM. It’s running on the same network, in the same region, as the Azure Private Endpoint. This is the first time I am loading it up, and now I have to use the IP address, which is 10.10.0.4. Let me just double check that. Right, 10.10.0.4.

That’s what we’re expecting to bring us to that load balancer. TADA. So on the first try, it works great. We’ve basically been able to create a private connection between two networks that runs only over the Microsoft network, not over the public Internet. We don’t have to establish a peering relationship, and we didn’t have to create Virtual Network gateways or do anything like that. It’s purely a private link that we can share. I guess because we’re running on the same account, we didn’t need to get approval for it. Otherwise you would then have to approve those connections, but we didn’t have to do that in this case. Awesome.
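The same provider and consumer setup as sections 2 through 4, as an added Azure CLI example that is not code from the original post. Resource group, VNet, subnet and NIC names are assumptions, as is 10.10.0.0/16 for the consumer range (the post only says "10.10"); the `in_consumer_range` check is a constructed helper that confirms the endpoint's address is local to the consumer VNet.

```shell
# Added example (not code from the original post): the portal walkthrough above as Azure CLI.
# Assumed: the resource group/VNet/subnet/NIC names below and 10.10.0.0/16 as the consumer
# range (the post only says "10.10"). Run with the argument "deploy" to actually execute.
set -eu
RG=az700-rg; LOC=westus; VNET=az700-vnet; SUBNET=mid-tier; LB=az-new-lb; PLS=az700-pls
NIC=vm3-nic   # NIC of VM3, the only back-end member
PE_RG=az700-pe-rg; PE_LOC=eastus; PE_VNET=az700-pe-vnet; PE_SUBNET=pe-subnet; PE=az700-pe

provider() {
  # Standard internal LB: the frontend is a private 10.x address and there is no public IP
  az network lb create -g "$RG" -n "$LB" -l "$LOC" --sku Standard --vnet-name "$VNET" \
    --subnet "$SUBNET" --frontend-ip-name fe --backend-pool-name pool1
  az network nic ip-config address-pool add -g "$RG" --nic-name "$NIC" \
    --ip-config-name ipconfig1 --lb-name "$LB" --address-pool pool1
  az network lb probe create -g "$RG" --lb-name "$LB" -n probe80 --protocol tcp --port 80
  az network lb rule create -g "$RG" --lb-name "$LB" -n rule1 --protocol tcp \
    --frontend-port 80 --backend-port 80 --frontend-ip-name fe \
    --backend-pool-name pool1 --probe-name probe80
  # The subnet hosting the service's NAT IP needs Private Link service policies disabled
  # (older CLI releases spell this --disable-private-link-service-network-policies true)
  az network vnet subnet update -g "$RG" --vnet-name "$VNET" -n "$SUBNET" \
    --private-link-service-network-policies Disabled
  # No --visibility / --auto-approval: "RBAC only" visibility, and requests from
  # subscriptions not on the auto-approval list stay Pending until the provider approves
  az network private-link-service create -g "$RG" -n "$PLS" -l "$LOC" --vnet-name "$VNET" \
    --subnet "$SUBNET" --lb-name "$LB" --lb-frontend-ip-configs fe
}

consumer() {
  # A separate VNet in another region; no peering and no gateway are involved
  az group create -n "$PE_RG" -l "$PE_LOC"
  az network vnet create -g "$PE_RG" -n "$PE_VNET" --address-prefix 10.10.0.0/16 \
    --subnet-name "$PE_SUBNET" --subnet-prefix 10.10.0.0/24
  az network vnet subnet update -g "$PE_RG" --vnet-name "$PE_VNET" -n "$PE_SUBNET" \
    --private-endpoint-network-policies Disabled
  pls_id=$(az network private-link-service show -g "$RG" -n "$PLS" --query id -o tsv)
  az network private-endpoint create -g "$PE_RG" -n "$PE" --vnet-name "$PE_VNET" \
    --subnet "$PE_SUBNET" --private-connection-resource-id "$pls_id" --connection-name plsconn
}

# The endpoint NIC's address lands in the consumer range (10.10.0.4 in the post), not the provider's
endpoint_ip() {
  nic=$(az network private-endpoint show -g "$PE_RG" -n "$PE" --query "networkInterfaces[0].id" -o tsv)
  az network nic show --ids "$nic" --query "ipConfigurations[0].privateIPAddress" -o tsv
}
in_consumer_range() { case "$1" in 10.10.*) return 0 ;; *) return 1 ;; esac; }
# Approved, Pending or Rejected: the consumer's connection as the provider sees it
connection_status() { az network private-link-service show -g "$RG" -n "$PLS" -o tsv \
    --query "privateEndpointConnections[0].privateLinkServiceConnectionState.status"; }
if [ "${1:-}" = deploy ]; then provider; consumer; ip=$(endpoint_ip); in_consumer_range "$ip"; echo "$(connection_status) $ip -> curl http://$ip/"; fi
```

The final line prints the connection state and the endpoint address; the `curl` it suggests is what you run from the test VM on the consumer VNet, and a Pending state means the provider still has to approve the connection.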

